Due to the countless bad actors in the email space, valid senders need to go above and beyond to prove their identity. One of the ways senders can authenticate their identity is through DomainKeys Identified Mail (DKIM), a cryptographic technology that uses a public key and a private key to verify that the sender of the email is responsible for the corresponding domain.
For years, the standard DKIM key length was 1024 bits, but hackers continue to develop new methods to break DKIM keys.
As a result, the National Institute of Standards and Technology (NIST) recommends 2048 bit keys. To ensure our senders have the best possible protection in place, we’re excited to announce that Twilio SendGrid now uses 2048 bit keys.
1024 bit vs. 2048 bit DKIM keys
1024 bit DKIM refers to a signing key that is 1024 bits long. The longer the key, the more challenging it is for hackers to break the DKIM key. For several years, the standard was 512 bit, but it became very apparent that 512 bit keys were vulnerable and could easily be cracked.
1024 bit is far more secure, but it’s incredibly important to stay ahead of the game when securing your emails. Many experts believe 1024 bit will become vulnerable over the next few years.
Enter 2048 bit keys. With double the key length, 2048 bit keys provide stronger protection against tampering and are the strongest signing option for automated security domain authentication. 2048 bit keys are thought to be secure against cryptographic attacks for the next several years.
Is 2048 bit widely supported?
This is a common question since the key length is double that of 1024 bit keys. Some domain name system (DNS) providers have limits on the number of characters, although most fully support the key length of 2048 bit keys. Some of the DNS providers that don’t support 2048 bit keys have unique workarounds, so it’s worth reaching out to them to discuss different solutions.
Set up 2048 bit DKIM keys for your Twilio SendGrid account
Whenever a new DKIM key is created via automatic security in your Twilio SendGrid account, it will be a 2048 bit key. A new DKIM key is created when a new selector is used.
- If you create a new domain authentication, but it uses the same default s1 selector as a previous 1024 bit key, it will reuse the 1024 bit key.
- If you have an existing 1024 bit key, then you’ll need to pick a custom unused selector when creating the new domain authentication to generate a new 2048 bit key.
In your Twilio SendGrid account, go to “Settings” and “Sender Authentication” to create or update your DKIM key (as shown in the image below).
Exception: manual security will not use 2048 bit
Manual security domain authentications in your Twilio SendGrid account will continue to use 1024 bit keys, even for a brand new domain authentication. 2048 bit DKIM keys aren’t always supported by DNS providers due to their length. When a user implements manual security, we ask them to publish the raw DKIM key record at their own DNS provider, so there’s a risk that the provider won’t accept it.
When a user sets up automatic security, Twilio SendGrid stores the DKIM key on our DNS provider (who we know supports 2048 bit DKIM keys) and the user points their DNS to our DNS.
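The DNS-length concern raised in “Is 2048 bit widely supported?” and again in the manual security exception above comes down to two checks a sender can make: does the published record fit the 255-byte limit a single DNS TXT character-string carries (a 2048 bit record is longer than that and is normally published as two or more strings that the resolver concatenates), and is the key that is actually live at `selector._domainkey.yourdomain` 1024 or 2048 bits? The following script is an added example, not Twilio SendGrid’s code, and uses only the Python standard library. It builds a `v=DKIM1` record from a constructed modulus (the sample numbers are the right size but are not real keys), splits it into TXT strings, and reads the key length back out of the base64 `p=` value by walking the DER structure of the public key; the DER helpers are the example’s own, written only far enough to handle an RSA `SubjectPublicKeyInfo`.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded as an OBJECT IDENTIFIER.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_length(n):
    """DER length field: one byte below 0x80, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_spki(modulus, exponent=65537):
    """Encode an RSA public key as a DER SubjectPublicKeyInfo (the bytes behind p=)."""
    algorithm = _der(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    rsa_public_key = _der(0x30, _der_integer(modulus) + _der_integer(exponent))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a DER SubjectPublicKeyInfo."""
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algorithm, pos = _read_tlv(outer, 0)
    if not algorithm.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(outer, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING holding the RSAPublicKey")
    _, rsa_public_key, _ = _read_tlv(bit_string, 1)  # byte 0 is the unused-bits count
    tag, modulus, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def build_dkim_record(modulus):
    """Record text for a DKIM TXT record carrying the given (constructed) RSA modulus."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(build_spki(modulus)).decode()


def split_for_txt(record, limit=255):
    """Split record text into DNS character-strings of at most `limit` bytes each."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def parse_dkim_record(txt_strings):
    """Concatenate the TXT strings a resolver returns and parse the tag=value list."""
    tags = {}
    for field in "".join(txt_strings).split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def dkim_key_bits(txt_strings):
    """Key length of the RSA key published in a DKIM record (v= and k= default per RFC 6376)."""
    tags = parse_dkim_record(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    p = re.sub(r"\s+", "", tags.get("p", ""))  # folding whitespace may appear inside the base64
    if not p:
        raise ValueError("empty p= means the key has been revoked")
    return rsa_modulus_bits(base64.b64decode(p))


# Constructed sample moduli: numbers of the right size, not real keys.
SAMPLE_2048 = (1 << 2047) | 0x10001
SAMPLE_1024 = (1 << 1023) | 0x10001

if __name__ == "__main__":
    record = build_dkim_record(SAMPLE_2048)
    strings = split_for_txt(record)
    print(len(record), "characters published as", len(strings), "TXT strings")
    print("published key length:", dkim_key_bits(strings), "bits")
```

To check a live selector, fetch the record with `dig +short TXT s1._domainkey.yourdomain.example` and pass the quoted strings it prints (in order) to `dkim_key_bits`; a result of 1024 for a selector you expected to be upgraded is the sign that the selector is still reusing an older key, which is exactly the situation the selector rules above describe.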
For more information on setting up 2048 bit keys for your account, go to our docs article, Migrating to 2048 Bit DomainKeys Identified Mail (DKIM).
Protect your email program with 2048 bit keys
Unfortunately, hackers aren’t going away anytime soon. Brands need to stay one step ahead of bad actors at all times in order to keep their email secure. Implementing 2048 bit DKIM keys will ensure you are taking all steps necessary to protect your domain and your email reputation.